Bug 676911 - SSSD attempts to use START_TLS over LDAPS for authentication
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd (Show other bugs)
Version: 6.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: rc
Target Release: ---
Assigned To: Stephen Gallagher
Chandrasekar Kannan
Reported: 2011-02-11 14:55 EST by Stephen Gallagher
Modified: 2015-01-04 18:46 EST (History)
Fixed In Version: sssd-1.5.1-6.el6
Doc Type: Bug Fix
Last Closed: 2011-05-19 07:38:36 EDT

External Trackers:
Red Hat Product Errata RHSA-2011:0560 (normal, SHIPPED_LIVE): Low: sssd security, bug fix, and enhancement update, last updated 2011-05-19 07:38:17 EDT
Description Stephen Gallagher 2011-02-11 14:55:33 EST
Description of problem:
SSSD always attempts to use the START_TLS function when performing LDAP auth. However, some LDAP servers (especially those sitting behind SSL accelerators) cannot handle TLS over LDAPS. This prevents authentication from succeeding on those platforms.

Version-Release number of selected component (if applicable):
sssd-1.2.1-28.el6_0.4

How reproducible:
Proof that this is happening is easily seen in the debug logs, however the auth failure requires a fairly complicated configuration.

Steps to Reproduce:
1. Configure SSSD with ldap_uri = ldaps://ldap.example.com and auth_provider = ldap
2. Set DEBUG logs to level 4 or higher (debug_level = 4)
3. Perform an LDAP user login through SSSD.
Actual results:
Logs include a line like:
(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4): Executing START TLS

Expected results:
SSSD should not attempt to start TLS.

Additional info:
Extensive mailing list thread on sssd-devel:
https://fedorahosted.org/pipermail/sssd-devel/2011-February/005651.html
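The report boils down to one rule: START_TLS is an upgrade of a cleartext ldap:// session, so issuing it on an ldaps:// session (already TLS-wrapped) is wrong and breaks authentication behind some SSL accelerators. The following is an added example, not SSSD code and not from the reporter: it reads a constructed sssd.conf fragment matching the reproduction steps, decides per ldap_uri whether START_TLS is appropriate, and scans constructed log lines in the format quoted above for the "Executing START TLS" message. The config text and log lines are constructed here; the domain name "default" is taken from the log prefix in the bug.

```python
"""Audit an SSSD domain for START_TLS issued over an ldaps:// URI (added example, not SSSD code)."""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sssd.conf fragment following the bug's reproduction steps.
SAMPLE_CONF = """\
[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldaps://ldap.example.com
debug_level = 4
"""

# Constructed log lines in the sssd_default.log format quoted in the bug.
LOG_BEFORE_FIX = [
    "(Fri Feb 11 14:27:08 2011) [sssd[be[default]]] [sdap_connect_send] (4): "
    "Executing START TLS",
]
LOG_AFTER_FIX = [
    "(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8): "
    "[ldaps://ldap.example.com:636] is a secure channel. No need to run START_TLS",
]

START_TLS_RE = re.compile(r"\[sdap_connect_send\] \(\d+\):\s*Executing START TLS")


def ldap_uris(conf_text, domain="default"):
    """Return the ldap_uri list of the given domain section (comma-separated in sssd.conf)."""
    # sssd.conf uses '=' only; restrict delimiters so '://' in URIs is never split on ':'.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    raw = cp.get("domain/%s" % domain, "ldap_uri", fallback="")
    return [u.strip() for u in raw.split(",") if u.strip()]


def start_tls_expected(uri):
    """START_TLS belongs on a plain ldap:// URI; an ldaps:// URI is already TLS-wrapped."""
    return urlsplit(uri).scheme.lower() == "ldap"


def audit(conf_text, log_lines, domain="default"):
    """Return a list of findings; empty means the log is consistent with the configured URIs.

    The 'Executing START TLS' line does not name the URI it applies to, so the
    check only fires when no ldap:// URI could legitimately explain it, i.e. when
    every configured URI is ldaps://.
    """
    uris = ldap_uris(conf_text, domain)
    findings = []
    if not uris:
        findings.append("domain/%s has no ldap_uri configured" % domain)
        return findings
    plain = [u for u in uris if start_tls_expected(u)]
    secure = [u for u in uris if not start_tls_expected(u)]
    saw_start_tls = any(START_TLS_RE.search(line) for line in log_lines)
    if saw_start_tls and secure and not plain:
        findings.append(
            "START_TLS issued although only ldaps:// URIs are configured: %s"
            % ", ".join(secure)
        )
    return findings


if __name__ == "__main__":
    print("before fix:", audit(SAMPLE_CONF, LOG_BEFORE_FIX))
    print("after fix: ", audit(SAMPLE_CONF, LOG_AFTER_FIX))
```

Point it at a real /etc/sssd/sssd.conf and /var/log/sssd/sssd_<domain>.log (with debug_level at 4 or higher, as the report says) to confirm whether an installed sssd shows the pre-fix behaviour; the check stays silent when a mixed ldap:// and ldaps:// URI list makes the log line ambiguous.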
Comment 3 Gowrishankar Rajaiyan 2011-04-06 08:05:12 EDT
No more "Executing START TLS" message logged in the domain logs while authenticating against ldaps.

Snippet from /var/log/sssd/sssd_default.log:
(Wed Apr  6 16:40:17 2011) [sssd[be[default]]] [auth_resolve_done] (8):
[ldaps://sssdldap.redhat.com:636] is a secure channel. No need to run START_TLS

Verified.

# rpm -qi sssd | head
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.5.1                             Vendor: Red Hat, Inc.
Release     : 24.el6                        Build Date: Sat 02 Apr 2011 01:24:54 AM IST
Install Date: Tue 05 Apr 2011 11:11:29 AM IST      Build Host: x86-012.build.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.5.1-24.el6.src.rpm
Size        : 3462740                          License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon
Comment 4 errata-xmlrpc 2011-05-19 07:38:36 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html
Comment 5 errata-xmlrpc 2011-05-19 09:09:31 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0560.html